2018 saw a number of large companies suffer from huge data breaches, but it’s so commonplace these days that every announcement seems to follow a standard process: we read about it in the press, mutter to ourselves ‘oh that’s bad’ and then we move on to read the next news story.
The companies involved go through a standard process, too: they will most likely suffer a significant dip in their share price, a big dent in their reputation and then a sizeable PR bill as they try to recover their public image and smooth the waters.
This was the case for Marriott Hotels when, in November, they announced that half a billion customer records were compromised. This breach can be seen as completely inexcusable, demonstrating not only a lack of technical security, but also a complete absence of organisational security, too.
But with a breach this big, Marriott should also be worried that they could follow in Equifax’s footsteps and be subjected to a class action lawsuit.
In 2017 Equifax, the consumer credit reporting agency, suffered one of the most highly publicised and sensitive cyber security hacks in history, when personal information for around 145.5m individuals was exposed. The data related mostly to Americans, but Canadian and British consumers were also exposed.
The incident prompted over 240 individual class action lawsuits in the US and then a rare 50-State class action suit was served on the company. It is reported that Equifax has spent over $88m as a result of the breach and that their profits have fallen by $35m. Their CEO stepped down in the wake of the incident and then the company’s CIO and CSO retired a week after the announcement, too.
This fall from grace has been very publicly documented, but will it have any impact on other businesses? I doubt it. I am not aware of any great impact on Marriott’s cyber security efforts.
Think of data security as a line. At one end we have an encrypted hard drive, buried deep in concrete under a 100-storey building. It’s extremely secure but not at all usable. At the other end of the line is a computer in a public space, connected 24/7 to the internet with no password protection. This is very easily accessible, but incredibly insecure. Security policy is about finding the right point on that line between those two extremes. All organisations have to decide for themselves where the right balance is between usability and security for them.
Organisations should be asking themselves: ‘Could we do more to prevent a data breach?’ The answer will always be ‘Yes’, but then someone needs to evaluate whether the options are sensible, practical and affordable.
And there lies the rub. It could cost a company a sizeable chunk of cash to implement the necessary changes, but the alternative could be a lot worse. AIR Worldwide has estimated the breach will cost Marriott around $600m, so even if the cost of getting it right were as much as $20m, it would only be a drop in the ocean compared to the impact of a breach.
There are a lot of companies out there who will never learn from these examples. They are just sticking their heads in the sand and assuming that it will never happen to them, because in the words of Del Amitri: ‘And nothing ever happens, nothing happens at all - the needle returns to the start of the song and we all sing along like before…’